Terms / Topics Flashcards
Know the elements of AAA services:
AAA is composed of identification, authentication, authorization, auditing, and accountability.
Be able to explain how identification works:
Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorizations, and accountability.
Understand the process of authentication:
Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.
Know how authorization fits into a security plan:
Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.
Be able to explain the auditing process:
Auditing is the programmatic means by which subjects are held accountable for their actions while authenticated on a system through the documentation or recording of subject activities.
Be able to explain nonrepudiation:
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
Know about defense in depth:
Defense in depth, also known as layering, is simply the use of multiple controls in a series. Using a multilayered solution allows for numerous different controls to guard against whatever threats come to pass.
Be able to explain the concept of abstraction:
Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.
Understand data hiding:
Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.
Know about security boundaries:
A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs.
Understand security governance:
Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.
Know about third-party governance:
Third-party governance is the system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor.
Understand documentation review:
Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).
Understand alignment of security function to business strategy, goals, mission, and objectives:
Security management planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources.
Know what a business case is:
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security.
Understand security management planning:
Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. The tactical plan is a mid-term plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.
Know the elements of a formalized security policy structure:
To create a comprehensive security plan, you need the following items in place: a security policy, standards, baselines, guidelines, and procedures.
Understand organizational process:
Security governance needs to address every aspect of an organization. This includes the organization processes of acquisitions, divestitures, and governance committees.
Understand key security roles:
The primary security roles are senior manager, security professional, asset owner, custodian, user, and auditor.
Know the basics of COBIT:
Control Objectives for Information and Related Technology (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies.
Understand due diligence and due care:
Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.
Know the basics of threat modeling:
Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include:
- Focused on assets, attackers, and/or software
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service [DoS], Elevation of privilege)
- PASTA (Process for Attack Simulation and Threat Analysis)
- VAST (Visual, Agile, and Simple Threat)
- Diagramming
- Reduction/decomposing
- DREAD (Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability)
Understand supply chain risk management (SCRM) concepts:
SCRM is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners. SCRM includes evaluating risks associated with hardware, software, and services; performing third-party assessment and monitoring; establishing minimum security requirements; and enforcing service-level requirements.
Written Lab (CH 1, pg 36): Discuss and describe the CIA Triad
Written Lab (CH 1, pg 36): What are the requirements to hold a person accountable for the actions of their user account?
Written Lab (CH 1, pg 36): Name the six primary roles as defined by the (ISC)2 for CISSP
Written Lab (CH 1, pg 36): What are the four components of a complete organizational security policy and their basic purpose?
S-T-R-I-D-E
Spoofing, tampering, repudiation, information disclosure, denial of service (DoS), Elevation of privilege
Spoofing
An attack with the goal of gaining access to a target system through the use of a falsified identity. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access.
Tampering
Any action resulting in authorized changes or manipulation in data, whether in transit or in storage.
Repudiation
The ability of a user or attacker to deny having performed an action or activity my maintaining plausible deniability. Repudiation attacks can also result in innocent third parties being blamed for security violations.
Information disclosure
The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
Denial of Service (DoS)
An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding.
Elevation of privilege
An attack where a limited user account is transformed into an account with greater privileges, powers, and access.
P-A-S-T-A
Process for Attack Simulation and Threat Analysis.
This is a seven-stage threat modeling methodology. Aimed at developing countermeasures based on the value of the asset to be protected.
Name the seven steps of P-A-S-T-A
Stage 1: Definition of the Objectives (DO) for the Analysis of Risks
Stage 2: Definition of the Technical Scope (DTS)
Stage 3: Application Decomposition and Analysis (ADA)
Stage 4: Threat Analysis (TA)
Stage 5: Weakness and Vulnerability Analysis (WVA)
Stage 6: Attack Modeling & Simulation (AMS)
Stage 7: Risk Analysis & Management (RAM)
Six key principles of COBIT:
- Provide Stakeholder Value
- Holistic Approach
- Dynamic Governance System
- Governance Distinct from Management
- Tailored to Enterprise Needs
- End-to-End Governance System
NIST 800-53
Contains U.S. government-sourced general recommendations for organizational security.
The Center for Internet Security (CIS)
Provides OS, application, and hardware security configuration guides.
NIST Risk Management Framework (RMF)
Establishes mandatory requirements for federal agencies. The RMF has six phases: Categorize, Select, Implement, Assess, Authorize, and Monitor.
NIST Cybersecurity Framework (CSF)
Designed for critical infrastructure and commercial organizations, and consists of five functions: identify, protect, detect, respond, and recover. It is a prescription of operational activities that are to be performed on an ongoing basis for the support and improvement of security over time.
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000 family group.
An international standard that can be the basis of implementing organizational security and related management practices.
Information Technology Infrastructure Library (ITIL)
Initially crafted by the British government, is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change. ITIL focuses on understanding how IT and security need to be integrated with an aligned to the objectives of an organization. ITIL and operational processes are often used as a starting point for the crafting of a customized IT security solution within an established infrastructure.
Acceptable Use Policy (AUP)
A commonly produced document that exists as part of the overall security documentation infrastructure.
V-A-S-T
A threat-modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis.
Five key processes in Decomposition (Reduction analysis):
Trust boundaries, Dataflow paths, Input points, Privileged operations, Details about Security Stance and Approach
CEO
Chief Executive Officer
CISO
Chief Information Security Officer
Defense in depth alternate terms
Classifications, zones, realms, compartments, silos, segmentations, lattice structure, protection rings.
Understand that humans are a key element in security
Humans are often considered the weakest element in any security solution. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. However, people can also become a key security asset when they are properly trained and are motivated to protect not only themselves but the security of the organization as well.
